| 36.2.svchosts.exe.400000.0.raw.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | |
| 36.2.svchosts.exe.400000.0.raw.unpack | Remcos_1 | Remcos Payload | kevoreilly | - 0x11034:$name: Remcos
- 0x118a8:$name: Remcos
- 0x118fb:$name: REMCOS
- 0x10688:$time: %02i:%02i:%02i:%03i
- 0x11320:$time: %02i:%02i:%02i:%03i
- 0x29fc:$crypto: 0F B6 96 08 04 00 00 89 10 8B 45 08 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F4 FB FF FF 30 ...
|
| 36.2.svchosts.exe.400000.0.raw.unpack | Remcos | detect Remcos in memory | JPCERT/CC Incident Response Group | - 0x11034:$remcos: Remcos
- 0x118a8:$remcos: Remcos
- 0x118e0:$url: Breaking-Security.Net
- 0x160ea:$resource: SETTINGS
|
| 36.2.svchosts.exe.400000.0.raw.unpack | REMCOS_RAT_variants | unknown | unknown | - 0x114dc:$funcs1: autogetofflinelogs
- 0x114c0:$funcs2: clearlogins
- 0x114f0:$funcs3: getofflinelogs
- 0x11578:$funcs4: execcom
- 0x114cc:$funcs5: deletekeylog
- 0x11798:$funcs6: remscriptexecd
- 0x115bc:$funcs7: getwindows
- 0x10da0:$funcs8: fundlldata
- 0x10d78:$funcs9: getfunlib
- 0x107ec:$funcs10: autofflinelogs
- 0x113b8:$funcs11: getclipboard
- 0x114b4:$funcs12: getscrslist
- 0x107e0:$funcs13: offlinelogs
- 0x105c8:$funcs14: getcamsingleframe
- 0x116e4:$funcs15: listfiles
- 0x115e0:$funcs16: getproclist
- 0x10828:$funcs17: onlinelogs
- 0x11700:$funcs18: getdrives
- 0x11784:$funcs19: remscriptsuccess
- 0x10600:$funcs20: getcamframe
- 0x1115c:$str_a1: C:\Windows\System32\cmd.exe
|
| 36.2.svchosts.exe.400000.0.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | |
| 36.2.svchosts.exe.400000.0.unpack | Remcos_1 | Remcos Payload | kevoreilly | - 0x11034:$name: Remcos
- 0x118a8:$name: Remcos
- 0x118fb:$name: REMCOS
- 0x10688:$time: %02i:%02i:%02i:%03i
- 0x11320:$time: %02i:%02i:%02i:%03i
- 0x29fc:$crypto: 0F B6 96 08 04 00 00 89 10 8B 45 08 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F4 FB FF FF 30 ...
|
| 36.2.svchosts.exe.400000.0.unpack | Remcos | detect Remcos in memory | JPCERT/CC Incident Response Group | - 0x11034:$remcos: Remcos
- 0x118a8:$remcos: Remcos
- 0x118e0:$url: Breaking-Security.Net
- 0x160ea:$resource: SETTINGS
|
| 36.2.svchosts.exe.400000.0.unpack | REMCOS_RAT_variants | unknown | unknown | - 0x114dc:$funcs1: autogetofflinelogs
- 0x114c0:$funcs2: clearlogins
- 0x114f0:$funcs3: getofflinelogs
- 0x11578:$funcs4: execcom
- 0x114cc:$funcs5: deletekeylog
- 0x11798:$funcs6: remscriptexecd
- 0x115bc:$funcs7: getwindows
- 0x10da0:$funcs8: fundlldata
- 0x10d78:$funcs9: getfunlib
- 0x107ec:$funcs10: autofflinelogs
- 0x113b8:$funcs11: getclipboard
- 0x114b4:$funcs12: getscrslist
- 0x107e0:$funcs13: offlinelogs
- 0x105c8:$funcs14: getcamsingleframe
- 0x116e4:$funcs15: listfiles
- 0x115e0:$funcs16: getproclist
- 0x10828:$funcs17: onlinelogs
- 0x11700:$funcs18: getdrives
- 0x11784:$funcs19: remscriptsuccess
- 0x10600:$funcs20: getcamframe
- 0x1115c:$str_a1: C:\Windows\System32\cmd.exe
|
| 22.2.svchosts.exe.2ff0a64.1.raw.unpack | SUSP_Modified_SystemExeFileName_in_File | Detects a variant of a system file name often used by attackers to cloak their activity | Florian Roth | - 0xe3bc:$s1: svchosts.exe
- 0xe47c:$s1: svchosts.exe
- 0x12024:$s1: svchosts.exe
- 0x120e4:$s1: svchosts.exe
|
| 33.2.svchosts.exe.400000.0.raw.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | |
| 33.2.svchosts.exe.400000.0.raw.unpack | Remcos_1 | Remcos Payload | kevoreilly | - 0x11034:$name: Remcos
- 0x118a8:$name: Remcos
- 0x118fb:$name: REMCOS
- 0x10688:$time: %02i:%02i:%02i:%03i
- 0x11320:$time: %02i:%02i:%02i:%03i
- 0x29fc:$crypto: 0F B6 96 08 04 00 00 89 10 8B 45 08 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F4 FB FF FF 30 ...
|
| 33.2.svchosts.exe.400000.0.raw.unpack | Remcos | detect Remcos in memory | JPCERT/CC Incident Response Group | - 0x11034:$remcos: Remcos
- 0x118a8:$remcos: Remcos
- 0x118e0:$url: Breaking-Security.Net
- 0x160ea:$resource: SETTINGS
|
| 33.2.svchosts.exe.400000.0.raw.unpack | REMCOS_RAT_variants | unknown | unknown | - 0x114dc:$funcs1: autogetofflinelogs
- 0x114c0:$funcs2: clearlogins
- 0x114f0:$funcs3: getofflinelogs
- 0x11578:$funcs4: execcom
- 0x114cc:$funcs5: deletekeylog
- 0x11798:$funcs6: remscriptexecd
- 0x115bc:$funcs7: getwindows
- 0x10da0:$funcs8: fundlldata
- 0x10d78:$funcs9: getfunlib
- 0x107ec:$funcs10: autofflinelogs
- 0x113b8:$funcs11: getclipboard
- 0x114b4:$funcs12: getscrslist
- 0x107e0:$funcs13: offlinelogs
- 0x105c8:$funcs14: getcamsingleframe
- 0x116e4:$funcs15: listfiles
- 0x115e0:$funcs16: getproclist
- 0x10828:$funcs17: onlinelogs
- 0x11700:$funcs18: getdrives
- 0x11784:$funcs19: remscriptsuccess
- 0x10600:$funcs20: getcamframe
- 0x1115c:$str_a1: C:\Windows\System32\cmd.exe
|
| 17.2.MV OLYMPIC PROGRESS VSL PARTICULARS.exe.400000.0.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | |
| 17.2.MV OLYMPIC PROGRESS VSL PARTICULARS.exe.400000.0.unpack | Remcos_1 | Remcos Payload | kevoreilly | - 0x11034:$name: Remcos
- 0x118a8:$name: Remcos
- 0x118fb:$name: REMCOS
- 0x10688:$time: %02i:%02i:%02i:%03i
- 0x11320:$time: %02i:%02i:%02i:%03i
- 0x29fc:$crypto: 0F B6 96 08 04 00 00 89 10 8B 45 08 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F4 FB FF FF 30 ...
|
| 17.2.MV OLYMPIC PROGRESS VSL PARTICULARS.exe.400000.0.unpack | Remcos | detect Remcos in memory | JPCERT/CC Incident Response Group | - 0x11034:$remcos: Remcos
- 0x118a8:$remcos: Remcos
- 0x118e0:$url: Breaking-Security.Net
- 0x160ea:$resource: SETTINGS
|
| 17.2.MV OLYMPIC PROGRESS VSL PARTICULARS.exe.400000.0.unpack | REMCOS_RAT_variants | unknown | unknown | - 0x114dc:$funcs1: autogetofflinelogs
- 0x114c0:$funcs2: clearlogins
- 0x114f0:$funcs3: getofflinelogs
- 0x11578:$funcs4: execcom
- 0x114cc:$funcs5: deletekeylog
- 0x11798:$funcs6: remscriptexecd
- 0x115bc:$funcs7: getwindows
- 0x10da0:$funcs8: fundlldata
- 0x10d78:$funcs9: getfunlib
- 0x107ec:$funcs10: autofflinelogs
- 0x113b8:$funcs11: getclipboard
- 0x114b4:$funcs12: getscrslist
- 0x107e0:$funcs13: offlinelogs
- 0x105c8:$funcs14: getcamsingleframe
- 0x116e4:$funcs15: listfiles
- 0x115e0:$funcs16: getproclist
- 0x10828:$funcs17: onlinelogs
- 0x11700:$funcs18: getdrives
- 0x11784:$funcs19: remscriptsuccess
- 0x10600:$funcs20: getcamframe
- 0x1115c:$str_a1: C:\Windows\System32\cmd.exe
|
| 23.2.svchosts.exe.4107268.3.raw.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | |
| 23.2.svchosts.exe.4107268.3.raw.unpack | Remcos_1 | Remcos Payload | kevoreilly | - 0x11034:$name: Remcos
- 0x118a8:$name: Remcos
- 0x118fb:$name: REMCOS
- 0x10688:$time: %02i:%02i:%02i:%03i
- 0x11320:$time: %02i:%02i:%02i:%03i
- 0x29fc:$crypto: 0F B6 96 08 04 00 00 89 10 8B 45 08 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F4 FB FF FF 30 ...
|
| 23.2.svchosts.exe.4107268.3.raw.unpack | Remcos | detect Remcos in memory | JPCERT/CC Incident Response Group | - 0x11034:$remcos: Remcos
- 0x118a8:$remcos: Remcos
- 0x118e0:$url: Breaking-Security.Net
- 0x160ea:$resource: SETTINGS
|
| 22.2.svchosts.exe.4267268.3.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | |
| 22.2.svchosts.exe.4267268.3.unpack | Remcos_1 | Remcos Payload | kevoreilly | - 0x11034:$name: Remcos
- 0x118a8:$name: Remcos
- 0x118fb:$name: REMCOS
- 0x10688:$time: %02i:%02i:%02i:%03i
- 0x11320:$time: %02i:%02i:%02i:%03i
- 0x29fc:$crypto: 0F B6 96 08 04 00 00 89 10 8B 45 08 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F4 FB FF FF 30 ...
|
| 22.2.svchosts.exe.4267268.3.unpack | Remcos | detect Remcos in memory | JPCERT/CC Incident Response Group | - 0x11034:$remcos: Remcos
- 0x118a8:$remcos: Remcos
- 0x118e0:$url: Breaking-Security.Net
- 0x160ea:$resource: SETTINGS
|
| 22.2.svchosts.exe.4267268.3.unpack | REMCOS_RAT_variants | unknown | unknown | - 0x114dc:$funcs1: autogetofflinelogs
- 0x114c0:$funcs2: clearlogins
- 0x114f0:$funcs3: getofflinelogs
- 0x11578:$funcs4: execcom
- 0x114cc:$funcs5: deletekeylog
- 0x11798:$funcs6: remscriptexecd
- 0x115bc:$funcs7: getwindows
- 0x10da0:$funcs8: fundlldata
- 0x10d78:$funcs9: getfunlib
- 0x107ec:$funcs10: autofflinelogs
- 0x113b8:$funcs11: getclipboard
- 0x114b4:$funcs12: getscrslist
- 0x107e0:$funcs13: offlinelogs
- 0x105c8:$funcs14: getcamsingleframe
- 0x116e4:$funcs15: listfiles
- 0x115e0:$funcs16: getproclist
- 0x10828:$funcs17: onlinelogs
- 0x11700:$funcs18: getdrives
- 0x11784:$funcs19: remscriptsuccess
- 0x10600:$funcs20: getcamframe
- 0x1115c:$str_a1: C:\Windows\System32\cmd.exe
|
| 0.2.MV OLYMPIC PROGRESS VSL PARTICULARS.exe.3977268.4.raw.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | |
| 0.2.MV OLYMPIC PROGRESS VSL PARTICULARS.exe.3977268.4.raw.unpack | Remcos_1 | Remcos Payload | kevoreilly | - 0x11034:$name: Remcos
- 0x118a8:$name: Remcos
- 0x118fb:$name: REMCOS
- 0x10688:$time: %02i:%02i:%02i:%03i
- 0x11320:$time: %02i:%02i:%02i:%03i
- 0x29fc:$crypto: 0F B6 96 08 04 00 00 89 10 8B 45 08 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F4 FB FF FF 30 ...
|
| 0.2.MV OLYMPIC PROGRESS VSL PARTICULARS.exe.3977268.4.raw.unpack | Remcos | detect Remcos in memory | JPCERT/CC Incident Response Group | - 0x11034:$remcos: Remcos
- 0x118a8:$remcos: Remcos
- 0x118e0:$url: Breaking-Security.Net
- 0x160ea:$resource: SETTINGS
|
| 0.2.MV OLYMPIC PROGRESS VSL PARTICULARS.exe.3977268.4.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | |
| 0.2.MV OLYMPIC PROGRESS VSL PARTICULARS.exe.3977268.4.unpack | Remcos_1 | Remcos Payload | kevoreilly | - 0x11034:$name: Remcos
- 0x118a8:$name: Remcos
- 0x118fb:$name: REMCOS
- 0x10688:$time: %02i:%02i:%02i:%03i
- 0x11320:$time: %02i:%02i:%02i:%03i
- 0x29fc:$crypto: 0F B6 96 08 04 00 00 89 10 8B 45 08 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F4 FB FF FF 30 ...
|
| 0.2.MV OLYMPIC PROGRESS VSL PARTICULARS.exe.3977268.4.unpack | Remcos | detect Remcos in memory | JPCERT/CC Incident Response Group | - 0x11034:$remcos: Remcos
- 0x118a8:$remcos: Remcos
- 0x118e0:$url: Breaking-Security.Net
- 0x160ea:$resource: SETTINGS
|
| 0.2.MV OLYMPIC PROGRESS VSL PARTICULARS.exe.3977268.4.unpack | REMCOS_RAT_variants | unknown | unknown | - 0x114dc:$funcs1: autogetofflinelogs
- 0x114c0:$funcs2: clearlogins
- 0x114f0:$funcs3: getofflinelogs
- 0x11578:$funcs4: execcom
- 0x114cc:$funcs5: deletekeylog
- 0x11798:$funcs6: remscriptexecd
- 0x115bc:$funcs7: getwindows
- 0x10da0:$funcs8: fundlldata
- 0x10d78:$funcs9: getfunlib
- 0x107ec:$funcs10: autofflinelogs
- 0x113b8:$funcs11: getclipboard
- 0x114b4:$funcs12: getscrslist
- 0x107e0:$funcs13: offlinelogs
- 0x105c8:$funcs14: getcamsingleframe
- 0x116e4:$funcs15: listfiles
- 0x115e0:$funcs16: getproclist
- 0x10828:$funcs17: onlinelogs
- 0x11700:$funcs18: getdrives
- 0x11784:$funcs19: remscriptsuccess
- 0x10600:$funcs20: getcamframe
- 0x1115c:$str_a1: C:\Windows\System32\cmd.exe
|
| 23.2.svchosts.exe.4107268.3.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | |
| 23.2.svchosts.exe.4107268.3.unpack | Remcos_1 | Remcos Payload | kevoreilly | - 0x11034:$name: Remcos
- 0x118a8:$name: Remcos
- 0x118fb:$name: REMCOS
- 0x10688:$time: %02i:%02i:%02i:%03i
- 0x11320:$time: %02i:%02i:%02i:%03i
- 0x29fc:$crypto: 0F B6 96 08 04 00 00 89 10 8B 45 08 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F4 FB FF FF 30 ...
|
| 23.2.svchosts.exe.4107268.3.unpack | Remcos | detect Remcos in memory | JPCERT/CC Incident Response Group | - 0x11034:$remcos: Remcos
- 0x118a8:$remcos: Remcos
- 0x118e0:$url: Breaking-Security.Net
- 0x160ea:$resource: SETTINGS
|
| 23.2.svchosts.exe.4107268.3.unpack | REMCOS_RAT_variants | unknown | unknown | - 0x114dc:$funcs1: autogetofflinelogs
- 0x114c0:$funcs2: clearlogins
- 0x114f0:$funcs3: getofflinelogs
- 0x11578:$funcs4: execcom
- 0x114cc:$funcs5: deletekeylog
- 0x11798:$funcs6: remscriptexecd
- 0x115bc:$funcs7: getwindows
- 0x10da0:$funcs8: fundlldata
- 0x10d78:$funcs9: getfunlib
- 0x107ec:$funcs10: autofflinelogs
- 0x113b8:$funcs11: getclipboard
- 0x114b4:$funcs12: getscrslist
- 0x107e0:$funcs13: offlinelogs
- 0x105c8:$funcs14: getcamsingleframe
- 0x116e4:$funcs15: listfiles
- 0x115e0:$funcs16: getproclist
- 0x10828:$funcs17: onlinelogs
- 0x11700:$funcs18: getdrives
- 0x11784:$funcs19: remscriptsuccess
- 0x10600:$funcs20: getcamframe
- 0x1115c:$str_a1: C:\Windows\System32\cmd.exe
|
| 25.2.svchosts.exe.3cc7268.4.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | |
| 25.2.svchosts.exe.3cc7268.4.unpack | Remcos_1 | Remcos Payload | kevoreilly | - 0x11034:$name: Remcos
- 0x118a8:$name: Remcos
- 0x118fb:$name: REMCOS
- 0x10688:$time: %02i:%02i:%02i:%03i
- 0x11320:$time: %02i:%02i:%02i:%03i
- 0x29fc:$crypto: 0F B6 96 08 04 00 00 89 10 8B 45 08 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F4 FB FF FF 30 ...
|
| 25.2.svchosts.exe.3cc7268.4.unpack | Remcos | detect Remcos in memory | JPCERT/CC Incident Response Group | - 0x11034:$remcos: Remcos
- 0x118a8:$remcos: Remcos
- 0x118e0:$url: Breaking-Security.Net
- 0x160ea:$resource: SETTINGS
|
| 25.2.svchosts.exe.3cc7268.4.unpack | REMCOS_RAT_variants | unknown | unknown | - 0x114dc:$funcs1: autogetofflinelogs
- 0x114c0:$funcs2: clearlogins
- 0x114f0:$funcs3: getofflinelogs
- 0x11578:$funcs4: execcom
- 0x114cc:$funcs5: deletekeylog
- 0x11798:$funcs6: remscriptexecd
- 0x115bc:$funcs7: getwindows
- 0x10da0:$funcs8: fundlldata
- 0x10d78:$funcs9: getfunlib
- 0x107ec:$funcs10: autofflinelogs
- 0x113b8:$funcs11: getclipboard
- 0x114b4:$funcs12: getscrslist
- 0x107e0:$funcs13: offlinelogs
- 0x105c8:$funcs14: getcamsingleframe
- 0x116e4:$funcs15: listfiles
- 0x115e0:$funcs16: getproclist
- 0x10828:$funcs17: onlinelogs
- 0x11700:$funcs18: getdrives
- 0x11784:$funcs19: remscriptsuccess
- 0x10600:$funcs20: getcamframe
- 0x1115c:$str_a1: C:\Windows\System32\cmd.exe
|
| 22.2.svchosts.exe.4267268.3.raw.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | |
| 22.2.svchosts.exe.4267268.3.raw.unpack | Remcos_1 | Remcos Payload | kevoreilly | - 0x11034:$name: Remcos
- 0x118a8:$name: Remcos
- 0x118fb:$name: REMCOS
- 0x10688:$time: %02i:%02i:%02i:%03i
- 0x11320:$time: %02i:%02i:%02i:%03i
- 0x29fc:$crypto: 0F B6 96 08 04 00 00 89 10 8B 45 08 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F4 FB FF FF 30 ...
|
| 22.2.svchosts.exe.4267268.3.raw.unpack | Remcos | detect Remcos in memory | JPCERT/CC Incident Response Group | - 0x11034:$remcos: Remcos
- 0x118a8:$remcos: Remcos
- 0x118e0:$url: Breaking-Security.Net
- 0x160ea:$resource: SETTINGS
|
| 31.2.svchosts.exe.400000.0.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | |
| 31.2.svchosts.exe.400000.0.unpack | Remcos_1 | Remcos Payload | kevoreilly | - 0x11034:$name: Remcos
- 0x118a8:$name: Remcos
- 0x118fb:$name: REMCOS
- 0x1582b:$name: remcos
- 0x10688:$time: %02i:%02i:%02i:%03i
- 0x11320:$time: %02i:%02i:%02i:%03i
- 0x29fc:$crypto: 0F B6 96 08 04 00 00 89 10 8B 45 08 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F4 FB FF FF 30 ...
|
| 31.2.svchosts.exe.400000.0.unpack | Remcos | detect Remcos in memory | JPCERT/CC Incident Response Group | - 0x11034:$remcos: Remcos
- 0x118a8:$remcos: Remcos
- 0x118e0:$url: Breaking-Security.Net
- 0x160ea:$resource: SETTINGS
|
| 31.2.svchosts.exe.400000.0.unpack | REMCOS_RAT_variants | unknown | unknown | - 0x114dc:$funcs1: autogetofflinelogs
- 0x114c0:$funcs2: clearlogins
- 0x114f0:$funcs3: getofflinelogs
- 0x11578:$funcs4: execcom
- 0x114cc:$funcs5: deletekeylog
- 0x11798:$funcs6: remscriptexecd
- 0x115bc:$funcs7: getwindows
- 0x10da0:$funcs8: fundlldata
- 0x10d78:$funcs9: getfunlib
- 0x107ec:$funcs10: autofflinelogs
- 0x113b8:$funcs11: getclipboard
- 0x114b4:$funcs12: getscrslist
- 0x107e0:$funcs13: offlinelogs
- 0x105c8:$funcs14: getcamsingleframe
- 0x116e4:$funcs15: listfiles
- 0x115e0:$funcs16: getproclist
- 0x10828:$funcs17: onlinelogs
- 0x11700:$funcs18: getdrives
- 0x11784:$funcs19: remscriptsuccess
- 0x10600:$funcs20: getcamframe
- 0x1115c:$str_a1: C:\Windows\System32\cmd.exe
|
| 25.2.svchosts.exe.3cc7268.4.raw.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | |
| 25.2.svchosts.exe.3cc7268.4.raw.unpack | Remcos_1 | Remcos Payload | kevoreilly | - 0x11034:$name: Remcos
- 0x118a8:$name: Remcos
- 0x118fb:$name: REMCOS
- 0x10688:$time: %02i:%02i:%02i:%03i
- 0x11320:$time: %02i:%02i:%02i:%03i
- 0x29fc:$crypto: 0F B6 96 08 04 00 00 89 10 8B 45 08 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F4 FB FF FF 30 ...
|
| 25.2.svchosts.exe.3cc7268.4.raw.unpack | Remcos | detect Remcos in memory | JPCERT/CC Incident Response Group | - 0x11034:$remcos: Remcos
- 0x118a8:$remcos: Remcos
- 0x118e0:$url: Breaking-Security.Net
- 0x160ea:$resource: SETTINGS
|
| 25.2.svchosts.exe.2a50a64.1.raw.unpack | SUSP_Modified_SystemExeFileName_in_File | Detects a variant of a system file name often used by attackers to cloak their activity | Florian Roth | - 0xe3bc:$s1: svchosts.exe
- 0xe47c:$s1: svchosts.exe
- 0x12024:$s1: svchosts.exe
- 0x120e4:$s1: svchosts.exe
|
| 23.2.svchosts.exe.2e90a64.1.raw.unpack | SUSP_Modified_SystemExeFileName_in_File | Detects a variant of a system file name often used by attackers to cloak their activity | Florian Roth | - 0xe3bc:$s1: svchosts.exe
- 0xe47c:$s1: svchosts.exe
- 0x12024:$s1: svchosts.exe
- 0x120e4:$s1: svchosts.exe
|
| 33.2.svchosts.exe.400000.0.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | |
| 33.2.svchosts.exe.400000.0.unpack | Remcos_1 | Remcos Payload | kevoreilly | - 0x11034:$name: Remcos
- 0x118a8:$name: Remcos
- 0x118fb:$name: REMCOS
- 0x10688:$time: %02i:%02i:%02i:%03i
- 0x11320:$time: %02i:%02i:%02i:%03i
- 0x29fc:$crypto: 0F B6 96 08 04 00 00 89 10 8B 45 08 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F4 FB FF FF 30 ...
|
| 33.2.svchosts.exe.400000.0.unpack | Remcos | detect Remcos in memory | JPCERT/CC Incident Response Group | - 0x11034:$remcos: Remcos
- 0x118a8:$remcos: Remcos
- 0x118e0:$url: Breaking-Security.Net
- 0x160ea:$resource: SETTINGS
|
| 33.2.svchosts.exe.400000.0.unpack | REMCOS_RAT_variants | unknown | unknown | - 0x114dc:$funcs1: autogetofflinelogs
- 0x114c0:$funcs2: clearlogins
- 0x114f0:$funcs3: getofflinelogs
- 0x11578:$funcs4: execcom
- 0x114cc:$funcs5: deletekeylog
- 0x11798:$funcs6: remscriptexecd
- 0x115bc:$funcs7: getwindows
- 0x10da0:$funcs8: fundlldata
- 0x10d78:$funcs9: getfunlib
- 0x107ec:$funcs10: autofflinelogs
- 0x113b8:$funcs11: getclipboard
- 0x114b4:$funcs12: getscrslist
- 0x107e0:$funcs13: offlinelogs
- 0x105c8:$funcs14: getcamsingleframe
- 0x116e4:$funcs15: listfiles
- 0x115e0:$funcs16: getproclist
- 0x10828:$funcs17: onlinelogs
- 0x11700:$funcs18: getdrives
- 0x11784:$funcs19: remscriptsuccess
- 0x10600:$funcs20: getcamframe
- 0x1115c:$str_a1: C:\Windows\System32\cmd.exe
|
| 17.2.MV OLYMPIC PROGRESS VSL PARTICULARS.exe.400000.0.raw.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | |
| 17.2.MV OLYMPIC PROGRESS VSL PARTICULARS.exe.400000.0.raw.unpack | Remcos_1 | Remcos Payload | kevoreilly | - 0x11034:$name: Remcos
- 0x118a8:$name: Remcos
- 0x118fb:$name: REMCOS
- 0x10688:$time: %02i:%02i:%02i:%03i
- 0x11320:$time: %02i:%02i:%02i:%03i
- 0x29fc:$crypto: 0F B6 96 08 04 00 00 89 10 8B 45 08 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F4 FB FF FF 30 ...
|
| 17.2.MV OLYMPIC PROGRESS VSL PARTICULARS.exe.400000.0.raw.unpack | Remcos | detect Remcos in memory | JPCERT/CC Incident Response Group | - 0x11034:$remcos: Remcos
- 0x118a8:$remcos: Remcos
- 0x118e0:$url: Breaking-Security.Net
- 0x160ea:$resource: SETTINGS
|
| 17.2.MV OLYMPIC PROGRESS VSL PARTICULARS.exe.400000.0.raw.unpack | REMCOS_RAT_variants | unknown | unknown | - 0x114dc:$funcs1: autogetofflinelogs
- 0x114c0:$funcs2: clearlogins
- 0x114f0:$funcs3: getofflinelogs
- 0x11578:$funcs4: execcom
- 0x114cc:$funcs5: deletekeylog
- 0x11798:$funcs6: remscriptexecd
- 0x115bc:$funcs7: getwindows
- 0x10da0:$funcs8: fundlldata
- 0x10d78:$funcs9: getfunlib
- 0x107ec:$funcs10: autofflinelogs
- 0x113b8:$funcs11: getclipboard
- 0x114b4:$funcs12: getscrslist
- 0x107e0:$funcs13: offlinelogs
- 0x105c8:$funcs14: getcamsingleframe
- 0x116e4:$funcs15: listfiles
- 0x115e0:$funcs16: getproclist
- 0x10828:$funcs17: onlinelogs
- 0x11700:$funcs18: getdrives
- 0x11784:$funcs19: remscriptsuccess
- 0x10600:$funcs20: getcamframe
- 0x1115c:$str_a1: C:\Windows\System32\cmd.exe
|
| 31.2.svchosts.exe.400000.0.raw.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | |
| 31.2.svchosts.exe.400000.0.raw.unpack | Remcos_1 | Remcos Payload | kevoreilly | - 0x11034:$name: Remcos
- 0x118a8:$name: Remcos
- 0x118fb:$name: REMCOS
- 0x1582b:$name: remcos
- 0x10688:$time: %02i:%02i:%02i:%03i
- 0x11320:$time: %02i:%02i:%02i:%03i
- 0x29fc:$crypto: 0F B6 96 08 04 00 00 89 10 8B 45 08 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F4 FB FF FF 30 ...
|
| 31.2.svchosts.exe.400000.0.raw.unpack | Remcos | detect Remcos in memory | JPCERT/CC Incident Response Group | - 0x11034:$remcos: Remcos
- 0x118a8:$remcos: Remcos
- 0x118e0:$url: Breaking-Security.Net
- 0x160ea:$resource: SETTINGS
|
| 31.2.svchosts.exe.400000.0.raw.unpack | REMCOS_RAT_variants | unknown | unknown | - 0x114dc:$funcs1: autogetofflinelogs
- 0x114c0:$funcs2: clearlogins
- 0x114f0:$funcs3: getofflinelogs
- 0x11578:$funcs4: execcom
- 0x114cc:$funcs5: deletekeylog
- 0x11798:$funcs6: remscriptexecd
- 0x115bc:$funcs7: getwindows
- 0x10da0:$funcs8: fundlldata
- 0x10d78:$funcs9: getfunlib
- 0x107ec:$funcs10: autofflinelogs
- 0x113b8:$funcs11: getclipboard
- 0x114b4:$funcs12: getscrslist
- 0x107e0:$funcs13: offlinelogs
- 0x105c8:$funcs14: getcamsingleframe
- 0x116e4:$funcs15: listfiles
- 0x115e0:$funcs16: getproclist
- 0x10828:$funcs17: onlinelogs
- 0x11700:$funcs18: getdrives
- 0x11784:$funcs19: remscriptsuccess
- 0x10600:$funcs20: getcamframe
- 0x1115c:$str_a1: C:\Windows\System32\cmd.exe
|